Описание
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Отчет
OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw. This version of XStream library will be delivered in the future Jenkins releases. [1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc [2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | xstream | Out of support scope | ||
| Red Hat CodeReady Studio 12 | xstream | Affected | ||
| Red Hat Fuse 7 | xstream | Not affected | ||
| Red Hat JBoss A-MQ 6 | xstream | Out of support scope | ||
| Red Hat JBoss BRMS 5 | xstream | Out of support scope | ||
| Red Hat JBoss BRMS 6 | xstream | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | xstream | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | xstream | Out of support scope | ||
| Red Hat JBoss Fuse 6 | xstream | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | xstream | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
XStream is a simple library to serialize objects to XML and back again ...
EPSS
6.5 Medium
CVSS3